Bungling Cyber Spy Stalks Iran

Over the past two years, governments in the Middle East have been targeted by sophisticated spying software, apparently created by world-class researchers whom unknown nation-states are paying to target sensitive data and infrastructure. Yet the latest piece of malware successfully spying on banks, government departments, and companies in Iran and nearby countries is almost laughably amateur. Experts believe that the software, called Mahdi, may have been created by activists. This possibility suggests that the United States and other governments fretting about their vulnerability to cyberwar (see “NSA Boss Wants More Control Over the Net”) may need to worry about more than just other nations.

“One of my initial reactions was ‘Are you kidding?’” says researcher Roel Schouwenberg of the computer security company Kaspersky, referring to the ineptly created malware. Mahdi, which was named by researchers who discovered the program at the Israeli security company Seculert, is bloated, buggy, and written using techniques suggesting that its creators are significantly less talented than those behind Stuxnet, Flame, or Gauss, says Schouwenberg. Those forms of malware, targeted at the Middle East, stunned researchers with their sophistication (see “A Way to Attack Nuclear Plants” and “The Antivirus Era Is Over”).

Yet Mahdi has still been effective. Once it has infiltrated a computer, it secretly sends data back to its operators—documents, logs of keystrokes, audio recordings, and screenshots of activities such as a user accessing e-mail. “It has managed to infiltrate companies in the financial sector and critical infrastructure,” says Schouwenberg. Other targets include government departments and engineering researchers and students.

Although apparently nation-backed tools such as Stuxnet, Flame, and Gauss attacked similar targets, Mahdi’s crude design raises the prospect that no government footed the bill for its creation, says Aviv Raff, a cofounder of Seculert. “Because it’s quick and dirty work, we believe it could be the work of ‘hacktivists,’ not a direct nation-state-sponsored group,” he says.

Proving that would be nearly impossible, but Mahdi at the very least shows that these days, you don’t need the resources or skill of James Bond to take part in high-level espionage. Hacktivist groups such as Anonymous and LulzSec grabbed headlines last year by attacking well-known websites to draw attention to causes such as Wikileaks. Mahdi’s success suggests that such groups could do more than just stage the Internet equivalent of disruptive protests.

Mahdi spreads via an e-mail attachment, which opens a presentation that asks the user to click through a series of slides and ultimately to run a program embedded in one of them. By contrast, sophisticated malware such as Flame or Gauss can infect a machine without a user’s direct involvement, using software vulnerabilities that take months for skilled hackers to discover. Flame also involved complex cryptography that few people in the world could have created, says Schouwenberg, and did the “unthinkable” by compromising Microsoft Windows’ update system. “Flame was the best people in the world,” he says. “Mahdi doesn’t really compare.”

And yet Mahdi continues to successfully infect new targets, whereas Stuxnet, Flame, and Gauss were deactivated soon after security researchers closed in (see “A Cyber ‘Warhead’ With an Unknown Target”). Seculert first identified Mahdi in February and went public along with Kaspersky on July 17, but the malware is still operating and being improved. “They are still actively working on infecting machines,” says Raff. “They also tried to add additional features as well as to evade detection by antivirus vendors.”

Schouwenberg says that Mahdi has ballooned from around one megabyte to 10 megabytes. But even such a clunker of a program, he says, can be effective when companies and government organizations use poor security practices and fail to properly isolate their most valuable networks from those used for less critical tasks.

Even given the chance to track the malware at work, it is unlikely that Mahdi’s true origins will be uncovered. It was originally being controlled through a server in Iran but is now being operated using several servers in Canada, says Raff. Those are probably being paid for using false credentials or have been taken over for the purposes of the attack. If action were taken against those, Mahdi’s operators would simply create more or melt away and come back with a new tool, says Schouwenberg. So it will remain a mystery whether Mahdi is the tool of hacktivists or of a nation-state playing dumb.